From 00c32c2cc609548c403f8977d38fece67deb5c29 Mon Sep 17 00:00:00 2001
From: evilsocket
Date: Thu, 30 Aug 2018 12:30:08 +0300
Subject: [PATCH] new: net.sniff now will parse and print mDNS query responses
---
 modules/net_sniff_mdns.go | 60 ++++++++++++++++++++++++++++++++++++
 modules/net_sniff_parsers.go | 2 ++
 2 files changed, 62 insertions(+)
 create mode 100644 modules/net_sniff_mdns.go
diff --git a/modules/net_sniff_mdns.go b/modules/net_sniff_mdns.go
new file mode 100644
index 00000000..ea1344a2
--- /dev/null
+++ b/modules/net_sniff_mdns.go
@@ -0,0 +1,60 @@
+package modules
+
+import (
+ "strings"
+
+ "github.com/bettercap/bettercap/core"
+ "github.com/bettercap/bettercap/packets"
+
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+
+ "github.com/miekg/dns"
+)
+
+func mdnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
+ if udp.SrcPort == packets.MDNSPort && udp.DstPort == packets.MDNSPort {
+ var msg dns.Msg
+ if err := msg.Unpack(udp.Payload); err == nil && msg.Opcode == dns.OpcodeQuery && len(msg.Answer) > 0 {
+ m := make(map[string][]string)
+ for _, answer := range append(msg.Answer, msg.Extra...) {
+ switch rr := answer.(type) {
+ case *dns.A:
+ name := rr.Header().Name
+ if _, found := m[name]; found == false {
+ m[name] = make([]string, 0)
+ }
+
+ m[name] = append(m[name], answer.(*dns.A).A.String())
+
+ case *dns.AAAA:
+ name := rr.Header().Name
+ if _, found := m[name]; found == false {
+ m[name] = make([]string, 0)
+ }
+
+ m[name] = append(m[name], answer.(*dns.AAAA).AAAA.String())
+ }
+
+ }
+
+ for hostname, ips := range m {
+ NewSnifferEvent(
+ pkt.Metadata().Timestamp,
+ "mdns",
+ ip.SrcIP.String(),
+ ip.DstIP.String(),
+ nil,
+ "%s %s : %s is %s",
+ core.W(core.BG_DGRAY+core.FG_WHITE, "mdns"),
+ vIP(ip.SrcIP),
+ core.Yellow(hostname),
+ core.Dim(strings.Join(ips, ", ")),
+ ).Push()
+ }
+
+ return true
+ }
+ }
+ return false
+}
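Review bot: The guard `msg.Opcode == dns.OpcodeQuery && len(msg.Answer) > 0` in mdnsParser never checks the QR bit, so an mDNS query that carries known-answer records in its Answer section (known-answer suppression, RFC 6762) is reported as if the sender had answered for those names. Adding `msg.Response` to the condition, as in `err == nil && msg.Response && msg.Opcode == dns.OpcodeQuery && len(msg.Answer) > 0`, limits the event to actual responses. mDNS answers are unauthenticated, so a comment above the `NewSnifferEvent` call such as `// name/address pairs are the sender's claim, not a verified mapping` would help anyone consuming these events for detection. On style, `rr` is already typed inside each case and `append` accepts a nil slice, so each case body reduces to `m[rr.Header().Name] = append(m[rr.Header().Name], rr.A.String())` (with `rr.AAAA.String()` in the second case), which drops the `found == false` pre-initialisation and the repeated type assertion.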
diff --git a/modules/net_sniff_parsers.go b/modules/net_sniff_parsers.go
index d86821ef..58ed68fe 100644
--- a/modules/net_sniff_parsers.go
+++ b/modules/net_sniff_parsers.go
@@ -45,6 +45,8 @@ func udpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 if dnsParser(ip, pkt, udp) {
 return
+ } else if mdnsParser(ip, pkt, udp) {
+ return
 } else if krb5Parser(ip, pkt, udp) {
 return
 } else if verbose {